This post is for anyone who processes payments, or has a client who processes payments, with Visa, MasterCard, Discover or American Express. It is the contribution of Larry Sachs, who has over 20 years of experience in IT security and compliance and has worked with companies such as Toys ‘R Us and Jet Aviation. Larry is now a Sales Agent for Innovative Merchant Solutions, an Intuit affiliated company.
In the local Boulder newspaper, there was recently an article about a nearby store that was burglarized; the only things stolen were financial records and boxes of credit card receipts. Most people may have found this strange: with many big-ticket items on hand, the thieves wanted credit card receipts. Having been in charge of IT security for 20 years, I was not surprised at all. Credit card information is extremely valuable. All you need to do is enter ‘Credit Card Dumps’ into Google and you’ll see over 2 million results for sites buying and selling stolen credit card information.
One of the higher-ranked sites is www.goldendump.com, the self-proclaimed leader in stolen credit card information, with standard cards going for $20 and gold cards selling for as little as $38. These are not kids hacking from a garage, but organized criminal groups operating from jurisdictions beyond the reach of domestic law enforcement.
In an effort to protect cardholder information, the major card brands (Visa, MasterCard, Discover, American Express and JCB) formed the PCI Security Standards Council, which publishes a set of requirements called the Payment Card Industry Data Security Standard, or PCI-DSS for short. By now, anyone who accepts credit card payments should already have validated compliance: for the vast majority of merchants that means completing, every year, the Self-Assessment Questionnaire (SAQ) that matches how they handle card data, while the largest merchants need an on-site assessment by a Qualified Security Assessor. Merchants ask me every single day if they really need to be compliant; their wife does the bookkeeping, they only run a few transactions, they have a dial-up terminal, etc. The answer: if you store, process or transmit cardholder data, emphatically yes!
Visa and MasterCard have taken a strong-armed approach to force compliance. Fines for non-compliance, assessed on the merchant’s acquiring bank and passed through to the merchant, can reach up to $500,000, and in the event of a breach the merchant must also pay all costs for forensics, card re-issuance and fraud. If the merchant manages to survive the fines, they risk having their Visa and MasterCard privileges revoked.
In order to expedite compliance, the vast majority of banks and processors now charge PCI non-compliance fees (Intuit Merchant Services does not). I’ve seen fees as high as $480 per year, and expect them to rise as time goes on. If you are an accounting professional, it’s possible that you bear some liability should your client suffer a breach after you’ve reconciled statements containing these fees: the fees on those statements were written notice that the client was not compliant.
The bottom line: don’t put it off. It is far less expensive to become compliant than not to, and even though a breach most likely will not happen to you, the implications of one are devastating.
There are programs available that greatly simplify the process of becoming PCI-DSS compliant and make your operating environment much more secure at the same time.